If you are new to Spunk, you’ve probably seen the Search Mode option in the search interface, and wondering what in the world is Search Mode. Even some of the experienced Splunkers don’t fully understand the search modes. May be you run all of your searches in the verbose mode (not recommended), or may be all in fast mode (not recommended), or you want to play it nice and use smart mode (recommended, may be). By reading this blog post, you will fully understand what these search modes actually mean and thereby will be equipped to make the right choice. You can also find a video with demo at the end of this post. Let’s get started.

Search Modes

In Splunk search interface, the Search mode shows up right underneath the time picker. See figure 1.

Figure 1: Search Mode in Splunk search interface

When you click on the drop down arrow, you are provided with three options.

One of the most frequently asked questions in Splunk is the difference between universal forwarder and heavy forwarder. In this post, I’ll explain the difference and suggest when to use certain type of forwarder. Let’s roll.

What is a Splunk Forwarder?

A Splunk forwarder reads data from a data source and forwards to another Splunk or Non-Splunk process. It is one of the core components of Splunk platform, the others being Splunk indexer and Splunk search head. Figure 1 shows a super high level architecture of Splunk platform:

While there are many ways to get data into Splunk platform, Splunk Universal Forwarder is by far the most common way to get data in. The other ways of getting data in, sorted by the popularity, based strictly on my experience:

One of the most powerful features of Splunk, the market leader in log aggregation and operational data intelligence, is the ability to extract fields while searching for data. Unfortunately, it can be a daunting task to get this working correctly. In this article, I’ll explain how you can extract fields using Splunk SPL’s rex command. I’ll provide plenty of examples with actual SPL queries. In my experience, rex is one of the most useful commands in the long list of SPL commands. I’ll also reveal one secret command that can make this process super easy. By fully reading this article you will gain a deeper understanding of fields, and learn how to use rex command to extract fields from your data.

What is a field?

A field is a name-value pair that is searchable. Virtually all searches in Splunk uses fields. A field can contain multiple values. Also, a given field need not appear in all of your events. Let’s consider the following SPL.

index=main sourcetype=access_combined_wcookie action=purchase

The fields in the above SPL are “index”, “sourcetype” and “action”. The values are “main”, “access_combined_wcookie” and “purchase” respectively.

Fields in Splunk

Fields turbo charge your searches by enabling you to customize and tailor your searches. For example, consider the following SPL

Docker is changing – scratch that – Docker has changed the way applications are built, deployed and run. If you are completely new to Docker, I recommend reading my other post: What is Docker? An absolute beginner’s guide. There, in addition to explaining what Docker is, I walk you through how to create a docker container and run your application in it. In this post, let’s take a step further by creating a distributed service using Docker. In other words, let’s make Docker production-ready. You’ll learn the following

What is docker-compose and how to create your first docker-compose.yml ?

What is a docker swarm and how it provides a robust, scalable container platform ?

At times, you may want to strip first few characters of a word in Excel. For example, consider the following data that shows last names of some random people

If you just need the first 10 characters of the last names, you can employ the Excel formula LEFT, as shown below.

The formula is =LEFT(text, number of characters)

After you typed in the formula and pressed Enter, you should see the name HEPPENHEIMER truncated to HEPPENHEIM.

Once your results look good, simply copy the cell (in our case B2) and paste it in all other cells where you need the formula executed. (Excel automatically updates the cell number in the formula as required).

To the uninitiated, we are not talking about Docker clothing company, which makes the popular Men’s Khakis. What we are talking about is the Docker that has changed the way Software Applications are built, shipped and run. You have probably heard about Docker and how cool it is, but never really understood fully. And you are itching to finally sit down and read about it. You have come to the right place. In this blog post, I’m going to demystify Docker for you. By reading this guide fully, you will understand,

What the heck is Docker?

What makes Docker so invaluable and indispensable?

How to install Docker on your PC or MAC?

How to build images and run containers

How to create and use Data volumes with Docker

How to configure basic Networking

Ready? Let’s begin.

What the heck is Docker?

Docker is a platform for Applications to be built and run in a container with all the required software packaged in it.

But you ask, what in the world is container?

Container is a Docker process that can be run on any Linux or Windows based system. It includes everything it needs to run, including System libraries, application code, application dependencies and configuration files. (You throw Docker container at a Car’s bumper and it will still work. Just kidding.). A Docker container is a mini-machine in its own right. Containers running on a system share the Operating System Kernel with other processes (including other Docker containers).

Tip: You can list all the Docker containers running your system by running the command

docker ps

Let’s take a look at the diagram below, which shows how various components fit it.

To contrast this with how software applications are traditionally run, look at the image below.

At this point, you may be wondering, ‘Wait a minute. I’ve seen this before. Are you not talking about virtualization? Vmware and stuff?‘

At this point, if you have been doing Application Support for a while, one striking advantage should be obvious to you: consistency of environments. Think about how many times you have been told by the development team: ‘Oh, but it works in my local Dev environment. Something must be wrong in production servers. May be a jar file is missing in the classpath in Prod?, Or may be the Java minor version is different in prod?’ Painful. Docker puts an end to all this environment specific mysteries.

So, to summarize: Docker is a container solution that enables building, shipping and running applications with all the required software in a single unit. The benefits include consistency across deployments, fast startup, flexible and developer-friendly build process.

If you are in IT Operations in any role, you have probably come across either Splunk or ELK, or both. These are two heavyweights in the field of Operational Data Analytics. In this blog post, I’m going to share with you what I feel about these two excellent products based on my years of experience with them.

The problem Splunk and ELK are trying to solve: Log Management

While there are fancier terms such as Operational Data Intelligence, Operational Big Data Analytics and Log data analytics platform, the problem both Splunk and ELK are trying to solve is Log Management. So, what’s the challenge with Log management?

Logs, logs, logs and more logs

The single most important piece of troubleshooting data in any software program is the log generated by the program. If you have ever worked with vendor support for any software product, you have been inevitably asked to provide – you guessed it, Log files. Without the log files, they really can’t see what’s going on.

Logs not only contains information about how the software program runs, they may contain data that are valuable to business as well. Yeap, that’s right. For instance, you can retrieve wealth of data from your Web Server access logs to find out things like geographical dispersion of your customer base, most visited page in your website, etc.

If you are running only a couple of servers with few applications running on them, accessing and managing your logs are not a problem. But in an enterprise with hundreds and even thousands of servers and applications, this becomes an issue. Specifically,

There are thousands of log files.

The size of these log files run in Giga or even Terra bytes.

The data in these log files may not be readily readable or searchable (unstructured data)

Both Splunk and ELK attempt to solve the problem of managing ever growing Log data. In essence, they supply a scalable way to collect and index log files and provide a search interface to interact with the data. In addition, they provide a way to secure the data being collected and enable users to create visualizations such as reports, dashboards and even Alerts.

Now that you know the problem Splunk and ELK are attempting to solve, let’s compare them and find how they are achieving this. I’m going to compare them in 4 areas as follows:

Technology

Cost

Features

Learning Curve for the operations team

Got it ? I can’t wait to share. Let’s dive in.

VS

Let me share with you 8 super easy shortcuts to speed up your web browsing. As with any software tools, learning keyboard shortcuts can save lots of time and enables you to look like a pro in front of others 🙂

1.Bookmark a page with Ctrl D

While on the page you would like to bookmar, simply press Ctrl D to bookmark the page. You can choose a folder to save the bookmark. I like to organize my bookmarks by creating various folders.

2.Open a new Tab using Ctrl T, close using Ctrl W and switch using Ctrl Tab

While on a page, simply press Ctrl T to open a new tab. Note that you can use Ctrl N to open a new browser window. I personally like to open tabs instead of new windows.

To close the current tab, simply press Ctrl W.

To switch between tabs, press Ctrl Tab to jump to the tab on the right. If you need to switch to the tab on the left, simply press Ctrl Shift Tab

Note for Mac users: You have to use Ctrl key on your MAC for this shortcut (Not the Command key). On all other shortcuts, use Command key instead of Ctrl key.

3.Jump to the URL field using Ctrl L

Wherever you are on page, clicking Ctrl L takes you the URL field. You can immediately start typing the url you wnat to visit.

4.Scroll down a page using Space bar

This can be very handy if you hate scrolling down using mouse (either using a scroll wheel or using the side bar). Simply press space bar to scroll down one page. As you may have guessed, simply press Shift Spacebar to move up one page.

So we all know that Java Heap is a crucial resource, lack of which will kill your application. Naturally you will want to monitor the heap usage. Bur surprisingly it is not very straight forward to measure the heap usage of your JVM unless you have a modern APM (Application Performance Management) tool implemented. To make things worse, in Windows world, the memory you see in Windows Task Manager (a solid tool by btw) is NOT the same as the JVM heap size.

For example, let’s say you have set maximum java heap at 3GB. But it is quite possible that the memory shown by Task Manager be higher (much higher at times), say 3.5 gb or 4 gb. You can pull you hair trying to figure out where that extra memory utilization came from, or you can read rest of this article and put an end to the mystery.

Generally speaking, here is the reason memory shown by the Task Manager is more than the Heap: The memory shown in Task manager is the entire Memory footprint of the JVM and NOT just the Java Heap of the JVM. Note that the JVM is just an another process as far as Windows is concerned.

Few errors are deadlier than java.lang.OutOfMemory errors. When this happens, you application will run into a very unpredictable state, often hanging up and not processing new requests, coughing up ugly stack traces into users browsers etc. The most popular (and effective in the short run) fix for OutOfMemory error is simply restarting the Application or Application Server.

While running out of java Heap is the most common OutOfMemory error, there are indeed several types of OutOfMemory that can occur. In this post, I will show you these various types of OutOfMemory errors and what they mean.

java.lang.OutOfMemoryError: Java heap space

The most popular one. This is when JVM goes belly up and unable to allocate memory in Heap . Your application might appear hung up and extremely slow to respond to user requests.

For example, let’s say your Java application has 2GB of memory maximum (through -Xmx flag). When the entire 2GB is used up and GC is unable to reclaim any memory, the next memory allocation request for an object will fail with java.lang.OutOfMemory Error.